5/24/10. Computer Science IT Security Guest Lecture. Matthew Cook. Agenda

Size: px

Start display at page:

Download "5/24/10. Computer Science IT Security Guest Lecture. Matthew Cook. Agenda"

Clementine Fitzgerald
7 years ago
Views:

1 Computer Science IT Security Guest Lecture 14 th May 2010 Matthew Cook Network and Security Manager for Loughborough University Managing ESISS initiative JANET Contracted Trainer Author of multiple Technical Guides/courses Invited speaker over 50 events in 10 years Personally discovered vulnerabilities in: HP Insight Manager, ExLibris Aleph/MetaLib and Cisco AnyConnect VPN/ASA platform Agenda Why are we playing detective? What are we seeing? How to playing detective. Tools and examples. Network Based Anomaly Detection. Reputational monitoring. Futures. and 1

2 A bit more about Loughborough A 437 acre campus University 3,000 Staff and 15,000 Students 5,500 Study Bedrooms 1,200 network switches/routers 24,000 network connections 650 wireless access points IT Service with 110 FTEs, 13 Network & Security East Midlands Region Network at a Glance 2

3 Why we are playing detective? Investigating Peer to Peer Usage Breach in internal AUP Policy Forensics Required Assistance required by government agency Police Force, CEOP, MI5, HMRC etc RIPA Act - Section 22(4) Data Protection Act - Section 29 For reasons to keep the network available A person with a right to control the system Has the express or implied consent, AUP Policy What are we seeing? A lot of peer to peer traffic External abuse attempts Mis-configured internal devices, printers etc Internal worm outbreaks SPAM bots Internal enquires regarding AUP breach Enquires from government bodies Playing detective on a bigger scale Dealing with Incidents Important to have a policy to follow Incidents dealt with in a uniform manner Appropriate people managing the process Minimum information tracked in Service Desk Verify the requestor Encrypted storage of data Important when sharing data Internally all data gathered from incidents provided to HR or Student Services 3

4 A lot of bandwidth, and growing Tools Experienced Professionals Registration systems NetDISCO Aggregated Logfiles Netflow IDS, replacing Snort Lancope Stealthwatch Orion NPM NetDISCO 4

5 IDS Systems 06/16-05:17: [**] [1:2181:1] P2P BitTorrent transfer [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} *.*:1559 -> : /16-12:22: [**] [1:1432:4] P2P GNUTella GET [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} *.*:4229 -> :6346 Wireless Access Points Wireless Access Points Some are legitimate: SMEs or Sporting Bodies in Innovation Centres, Students Personal Access Points, Vending Machines, Rogue Access Points and Houses surrounding campus. RADAR Unauthenticated Access huntkill]#./trackme *.* Leave IP2MAC with MAC of '00:00:00:00:00:00' Seen 00:00:00:00:00:00 on sox interface Po2 going to box Seen 00:00:00:00:00:00 on box interface Gi1/2 going to beetroot Seen 00:00:00:00:00:00 on beetroot interface Gi0/6 going to cisco-35- zz Seen 00:00:00:00:00:00 on cisco-35-** interface FastEthernet0/15 (seen19 on port) 5

6 Logs, Logs and more Logs Logging is key, trivial to set up, difficult to use... WMF vulnerability in January 2006 Aggregation to a central location: DHCP Servers Authentication Servers Servers Web Servers (VLE, Intranet, VPN) Network Devices Firewalls IDS Servers: AIDE, Tripwire, Snare, HIDS Examples Physical theft of computer RAM Physical theft of whole Computer Malicious x-originating-ip: [ x.x] Hijacked accounts (someone in the room) Research Server Projects Server Photocopier Appliance Devices, things you can t patch! The Beauty of Trend Analysis If it happens to you, it will happen to... Looking at trends within the sector Looking at trends across the global SSH Scans BotNet Controllers Credential dictionary attacks Spam bots 6

7 Network Based Anomaly Detection Lancope StealthWatch Reputational Monitoring THE: University fails to use its own language guidelines in its publications. Pinsent Mason: Domain hijacking/squatting Guardian: University hosting illegal DVDs Twitter: I ve failed to do any work today, due to network outages! Internet based reputational is critical 7

8 What can we monitor? Twitter Web Server Directory List Google Search Default Installs/files Facebook Web Stats Pages BeBo RBL Checks Blogosphere Open SMTP Relay New Sites Recursive DNS Check Wikipedia Web Forgery TheStudentRoom.co.uk Bug-Me-Not WhatUni.com PHP versions RateMyProfessor.com Safebrowsing Alerts YouTube IRC/IRQ Chat Graduate Jobs Forum Much, much more Reputational Monitoring from ESISS Futures Increasing bandwidth 802.1X and NAC Site Visitors VPN Portal Abuse IPv6 SSL Proliferation Encryption Appliances, things you cannot patch! Cloud Computing: SaaS and IaaS Emerging ISO Standards 8

9 Questions, and safe journey home! and 9

Keep you computer running Keep your documents safe Identity theft Spreading infection Data Integrity (DPA: Data Protection Act)

Security Analysis E-Commerce Security 2008 Matthew Cook Network & Security Manager Loughborough University Why bother? Keep you computer running Keep your documents safe Identity theft Spreading infection